b'September 18, 2009\n\nROSS PHILO\nEXECUTIVE VICE PRESIDENT, CHIEF INFORMATION OFFICER\n\nSUBJECT: Audit Report \xe2\x80\x93 External Public Key\n         Infrastructure Services \xe2\x80\x93 Fiscal Year 2009\n         (Report Number IS-AR-09-012)\n\nThis report presents the results of our audit of the U.S. Postal Service\xe2\x80\x99s external Public\nKey Infrastructure (PKI) services (Project Number 09RG017IS000). The objective was\nto determine whether the Postal Service effectively managed its external PKI services in\ncompliance with established guidance. This audit was performed at the request of\nPostal Service management to ensure that the external PKI services continue to\noperate at a level to become cross-certified with the U.S. Government\xe2\x80\x99s Federal Bridge\nCertification Authority (FBCA). See Appendix A for additional information about this\naudit.\n\nConclusion\n\nThe Postal Service generally managed its external PKI services1 in compliance with\nestablished guidance. However, we identified inconsistencies between Postal Service\npolicies, FBCA policies, and the external PKI environment.\n\nPostal Service PKI Policies and FBCA Certificate Policy (CP)\n\nWe found inconsistencies with internal Postal Service PKI policies and between Postal\nService and FBCA policy. Postal Service staff did not perform periodic reviews to\nensure PKI policies were consistent with each other and with federal PKI policy.\nInconsistent PKI policies could delay future cross-certification between the Postal\nService and the FBCA. See Appendix B for our detailed analysis of this topic.\n\nPostal Service External PKI Policies and PKI Environment\n\nThe Postal Service external PKI environment was not consistent with certain policies in\ntheir Certification Practice Statements (CPSs). Postal Service PKI policies were not\nperiodically reviewed to ensure the environment was operating in compliance with\nstated policies because of limited focus on cross-certification prior to the planned\nclosing of the external PKI environment. Management could delay future cross-\n\n1\n  PKI is the combination of software, encryption technologies, processes, and services that enables an organization\nto secure its communications and business transactions.\n\x0cExternal Public Key Infrastructure Services \xe2\x80\x93                                 IS-AR-09-012\n Fiscal Year 2009\n\n\ncertification between the Postal Service and the FBCA by not operating the external PKI\nenvironment in compliance with PKI policies. See Appendix B for our detailed analysis\nof this topic.\n\nWhen brought to their attention, management took action to correct the issues we\nidentified. While we acknowledge management\xe2\x80\x99s timely action to resolve the issues, we\nare making a recommendation that, if implemented, should prevent similar issues in\nfuture years.\n\nWe recommend the Executive Vice President, Chief Information Officer, direct the\nManager, Corporate Information Security, to:\n\n1. Establish milestones to periodically review Postal Service Public Key Infrastructure\n   policies and environment in relation to Federal Bridge Certification Authority\n   Certificate Policy.\n\nManagement\xe2\x80\x99s Comments\n\nManagement agreed with the recommendation. On an annual basis beginning\nFebruary 2010, the PKI manager will ensure a cross-certified Certificate Authority (CA)\nis compared for consistency to the FBCA\xe2\x80\x99s Certificate Policies and also that the Postal\nService CPSs are compared with one another for consistency of language and\nprocedures. See Appendix C for management\xe2\x80\x99s comments in their entirety.\n\nEvaluation of Management\xe2\x80\x99s Comments\n\nThe U.S. Postal Service Office of Inspector General (OIG) considers management\xe2\x80\x99s\ncomments responsive to the recommendation and their corrective action should resolve\nthe issues identified in the report.\n\nWe appreciate the cooperation and courtesies provided by your staff. If you have any\nquestions or need additional information, please contact Frances E. Cain, Director,\nInformation Technology, or me at (703) 248-2100.\n\n    E-Signed by Darrell E. Benjamin, Jr\n    VERIFY authenticity with ApproveIt\n\nDarrell E. Benjamin, Jr.\nDeputy Assistant Inspector General\n for Revenue and Systems\n\nAttachments\n\n\n\n\n                                                      2\n                                           Restricted Information\n\x0cExternal Public Key Infrastructure Services \xe2\x80\x93                       IS-AR-09-012\n Fiscal Year 2009\n\n\ncc: John T. Edgar\n    Charles L. McGann, Jr\n    Mark J. Stepongzi\n    Joseph J. Gabris\n    Bill Harris\n\n\n\n\n                                                      3\n                                           Restricted Information\n\x0cExternal Public Key Infrastructure Services \xe2\x80\x93                                                           IS-AR-09-012\n Fiscal Year 2009\n\n\n                            APPENDIX A: ADDITIONAL INFORMATION\n\nBACKGROUND\n\nPKI is the combination of software, encryption technologies, processes, and services\nthat enables an organization to secure its communications and business transactions.\nA PKI relies on the exchange of digital certificates between authenticated users and\ntrusted resources. A CA is a basic component of a PKI. A CA issues certificates to\nusers, computers, and services and manages those certificates.\n\nTo support PKI-enabled applications, an organization must design and implement the\nCA hierarchy. Common roles in a CA hierarchy include a root CA, a policy CA, and an\nissuing CA. The Postal Service\xe2\x80\x99s external PKI2 consists of a root CA, an intermediate\nCA, and two subordinate CAs in Eagan, MN.\n\nThe CP is a written document that defines how an organization issues and uses\ncertificates and what measures the organization uses to validate the subjects of the\ncertificates. The CP also includes the legal requirements an organization must follow\nwhen using certificates that its PKI issues. The CPS is a statement of practices a CA\nuses to issue, revoke, and manage certificates. Different practice statements may exist\non each CA in the hierarchy based on the type of certificates the CA issues and to\nwhom the CA issues them.\n\nHomeland Security Presidential Directive 12 (HSPD-12)3 established a federal policy to\ncreate and use a government-wide secure and reliable form of identification for federal\nemployees and contractors. Currently, xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\nxxxxxx. However, the Federal Information Processing Standard Publication 201\nrequires every HSPD-12 credential the government issues to contain an external digital\ncertificate. As a result, the Postal Service created a CA server room xxxxxxxxxxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx that houses the\nexternal PKI environment. This environment could authenticate and verify government-\nwide identification badges issued to Postal Service employees and contractors.\n\nThe Federal Public Key Infrastructure Policy Authority (FPKIPA) is an interagency body\nset up under the Chief Information Officers Council to enforce digital certificate\nstandards for trusted identity authentication across federal agencies and among federal\nagencies and outside bodies. The FBCA is an information system that facilitates an\nentity accepting certificates issued by another entity for a transaction.\n\nIn support of HSPD-12, the FPKIPA approved the Postal Service\xe2\x80\x99s external PKI for\ncross-certification in October 2006 at a medium hardware level. The FPKIPA requires\n\n2\n  The Postal Service refers to their policy CA as an intermediate CA and refers to their issuing CA as a subordinate\nCA.\n3\n  Policy for a Common Identification Standard for Federal Employees and Contractors, dated August 27, 2004.\n\n\n\n                                                          4\n                                               Restricted Information\n\x0cExternal Public Key Infrastructure Services \xe2\x80\x93                                                           IS-AR-09-012\n Fiscal Year 2009\n\n\nan annual compliance audit and considers a delta compliance audit4 acceptable in lieu\nof a full compliance audit if no significant changes to policies, procedures, or operations\nhave occurred during the previous year. Although the Postal Service is no longer cross-\ncertified, we conducted this audit to ensure the Postal Service external PKI services\ncontinue to operate at a level to become certified with the FBCA.\n\nOBJECTIVE, SCOPE, AND METHODOLOGY\n\nThe objective of this audit was to determine whether the Postal Service effectively\nmanaged its external PKI services in compliance with established guidance. We\nconducted our work xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.\n\nAs permitted by X.509 Certificate Policy for the Federal Bridge Certification Authority\n(FBCA) Section 8.1 and requested by Postal Service management, we performed a\ndelta compliance audit covering all changes to policies, procedures, or operations that\nmay have occurred during the previous year.\n\nWe reviewed the following topics as required by a delta compliance audit for the\nexternal PKI environment:\n\n         \xef\x82\xb7   Personnel controls\n         \xef\x82\xb7   Separation of duties\n         \xef\x82\xb7   Internal audit review frequency and scope\n         \xef\x82\xb7   Types of events recorded in physical and electronic audit logs\n         \xef\x82\xb7   Protection of physical and electronic audit data\n         \xef\x82\xb7   Physical security controls\n         \xef\x82\xb7   Backup and archive generation and storage\n         \xef\x82\xb7   Items requiring resolution from the fiscal year (FY) 2008 PKI compliance audit\n\nWe used the following Postal Service policy documents, dated May 26, 2009, for this\naudit:\n\n         \xef\x82\xb7   USPS Public Key Infrastructure (PKI) X.509 Certificate Policy (CP), Version\n             1.67\n         \xef\x82\xb7   USPS Root Certification Authority (CA) Certification Practice Statement\n             (CPS), Version 1.19\n         \xef\x82\xb7   USPS Intermediate Certification Authority (CA) Certification Practice\n             Statement (CPS), Version 1.19\n         \xef\x82\xb7   USPS Subordinate Certification Authority (CA) Certification Practice\n             Statement (CPS), Version 1.19\n\n\n\n4\n A delta compliance audit covers all significant changes from the previous year and also covers specific topics\ndescribed in the Objectives, Scope, and Methodology section of this report.\n\n\n\n                                                         5\n                                              Restricted Information\n\x0cExternal Public Key Infrastructure Services \xe2\x80\x93                                    IS-AR-09-012\n Fiscal Year 2009\n\n\nTo determine whether personnel controls were in place, we reviewed security clearance\nrecords for PKI personnel and interviewed staff regarding proper training for PKI\npersonnel. Further, we verified that PKI personnel received notification of changes to\nCA operations and verified that CP and CPS documents were available via the Internet.\n\nTo determine if separation of duties were effective, we reviewed the official designation\nof PKI roles and responsibilities, interviewed staff regarding sensitive tasks that require\nat least two individuals to complete, verified that operations manuals were available to\nPKI personnel, reviewed group and user settings xxxxxxxxxxxxxxxxxxx, and reviewed\nCA server configurations.\n\nTo verify PKI auditing functions, we interviewed staff regarding internal auditing\nprocedures, frequency, and scope; reviewed events recorded in audit logs and audit log\nsummary reports; and reviewed CA server audit policy settings. To verify the security of\nphysical and electronic audit data, we reviewed and tested PKI security settings and\nverified that physical controls were in place for access to the CA room.\n\nTo validate physical security controls, we reviewed CA room access lists and tested\naccess controls to the room. We interviewed xxxxxxxxxxxxxxxxxxxxxxxxxx facility staff\nregarding environmental controls and observed and validated controls in the physical\nenvironment.\n\nTo verify procedures for backup and archive generation and storage, we interviewed\nstaff regarding backup and archival processes, validated the daily backup mechanism,\nwitnessed the movement of backup media for off-site rotation, and verified archive\nretention periods.\n\nTo validate that management has taken corrective action on items from the FY 2008\nPKI compliance audit, we verified the changes during fieldwork and reviewed the\ncurrent CP and CPS documentation versions to ensure the stated changes were in\nplace.\n\nWe conducted this performance audit from April through September 2009 in accordance\nwith generally accepted government auditing standards and included such tests of\ninternal controls as we considered necessary under the circumstances. Those\nstandards require that we plan and perform the audit to obtain sufficient, appropriate\nevidence to provide a reasonable basis for our findings and conclusions based on our\naudit objective. We believe that the evidence obtained provides a reasonable basis for\nour findings and conclusions based on our audit objective. We discussed our\nobservations and conclusions with management officials throughout the audit and on\nSeptember 4, 2009, and included their comments where appropriate.\n\n\n\n\n                                                      6\n                                           Restricted Information\n\x0c        External Public Key Infrastructure Services \xe2\x80\x93                                                 IS-AR-09-012\n         Fiscal Year 2009\n\n\n        PRIOR AUDIT COVERAGE\n\n                              Report             Final Report\n    Report Title              Number                 Date                            Report Results\nCompliance Audit of         IS-AR-08-017      September 11, 2008      In general, we found the Postal Service was\nthe Postal Service\xe2\x80\x99s                                                  effectively managing its PKI services in\nExternal Public Key                                                   compliance with established guidance as stated\nInfrastructure Services                                               in their CP and CPS. However, we identified 12\n                                                                      instances of non-compliance between the Postal\n                                                                      Service\xe2\x80\x99s PKI policies and its external PKI\n                                                                      environment. Of these, management corrected\n                                                                      two and developed resolution plans for the\n                                                                      remaining 10. Management agreed with our\n                                                                      recommendation and stated they would establish\n                                                                      milestones to implement resolution for the\n                                                                      remaining non-compliant issues in the external\n                                                                      PKI environment by December 31, 2008. During\n                                                                      the FY 2009 audit, we verified that nine of the 10\n                                                                      remaining instances of non-compliance were\n                                                                      completed and that management was in the\n                                                                      process of correcting the remaining issue.\nCompliance Audit of         IS-AR-08-001         October 5, 2007       In general, we found the Postal Service\xe2\x80\x99s\nthe Postal Service\xe2\x80\x99s                                                   external PKI environment complies with their CP,\nExternal Public Key                                                    CPS, and any applicable Memorandum of\nInfrastructure Services                                                Agreement . However, the Postal Service could\n                                                                       improve their external PKI environment by\n                                                                       mitigating the remaining instances of its non-\n                                                                       compliance with Postal Service PKI policies and\n                                                                       procedures in the external PKI environment.\n                                                                       Management agreed with our recommendation\n                                                                       and stated they would develop a risk mitigation\n                                                                       plan by October 31, 2007. We verified that\n                                                                       management resolved the remaining FY 2007\n                                                                       instances of non-compliance during the FY 2008\n                                                                       audit.\nInformation for the         IS-WP-07-001         October 2, 2006      We concluded that, as of September 1, 2006, the\nFederal Bridge                                                        Postal Service\xe2\x80\x99s PKI operations conformed to the\nCertification Authority                                               CPS documents.\n\n\n\n\n                                                              7\n                                                   Restricted Information\n\x0c        External Public Key Infrastructure Services \xe2\x80\x93                                                IS-AR-09-012\n         Fiscal Year 2009\n\n\n\n                              Report             Final Report\n    Report Title              Number                 Date                            Report Results\nCertificate Authority       IS-AR-06-015       September 1, 2006      We performed a follow-up audit and reviewed\nPublic Key                                                            items identified in a March 2006 audit performed\nInfrastructure                                                        by Klynveld Peat Marwick Goerdeler LLP. We\nCompliance xxxxxx                                                     determined the Postal Service had corrected\nxxxxxxxxxxx                                                           most of the issues identified in the report.\nxxxxxxxxxxxxxx                                                        However, management could make\nxxxxxxxxxxxxxxxxxx                                                    improvements by establishing and assigning the\nxxxxxxxxxxxxxxx,                                                      HSPD-12 Registration Authorities and\nxxxxxxxxx                                                             Subscribers and completing the CA-PKI backup\n                                                                      environment.\n\n                                                                      Management agreed with the recommendation\n                                                                      and stated that the completion date for the PKI\n                                                                      backup site was September 1, 2006.\n\n\n\n\n                                                              8\n                                                   Restricted Information\n\x0cExternal Public Key Infrastructure Services \xe2\x80\x93                                        IS-AR-09-012\n Fiscal Year 2009\n\n\n                              APPENDIX B: DETAILED ANALYSIS\n\nPostal Service PKI Policies and FBCA CP\n\nWe found differences between the Postal Service CP, the Postal Service root CA CPS,\nintermediate CA CPS, subordinate CA CPS, and the FBCA CP. Specifically we found:\n\n    \xef\x82\xb7   The Postal Service CP did not specify PKI in the titles of the CA Administrator,\n        Operator, and Backup Operator as stated in the root, intermediate, and\n        subordinate CPS.\n\n    \xef\x82\xb7   The Postal Service CP, root, intermediate, and subordinate CPS did not contain\n        the word, \xe2\x80\x9cSecurity\xe2\x80\x9d, in the Section 5.3.1 title as stated in the Section 5.3.1 title in\n        the FBCA CP.\n\n    \xef\x82\xb7   Role responsibilities of the PKI Certificate Manager, CA Administrator, and PKI\n        Disaster Recovery Facility Coordinator were missing in the Postal Service CP,\n        intermediate CPS, and subordinate CPS.\n\n    \xef\x82\xb7   xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n        xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n\nPostal Service staff did not perform periodic reviews of PKI policies to ensure they were\nconsistent with each other and with federal PKI policy. Inconsistent PKI policies could\ndelay future cross-certification between the Postal Service and the FBCA.\n\nPostal Service External PKI Policies and PKI Environment\n\nWe found some policies stated in the Postal Service CPS were not followed in the\nPostal Service external PKI environment. Specifically:\n\n    \xef\x82\xb7   The PKI xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx were not consistent with the\n        description of the file in the root, intermediate and subordinate CPS.\n\n    \xef\x82\xb7   All Postal Service PKI xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx from what was\n        stated in the root, intermediate, and subordinate CPS.\n\n    \xef\x82\xb7   xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n        xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n        xxxxxxxxxxxxxxxxxxxxxxx.\n\nPostal Service PKI policies were not periodically reviewed to ensure the environment\nwas operating in compliance with stated policies because of limited focus on cross-\ncertification prior to the planned closing of the external PKI environment. Management\n\n\n\n                                                      9\n                                           Restricted Information\n\x0cExternal Public Key Infrastructure Services \xe2\x80\x93                                      IS-AR-09-012\n Fiscal Year 2009\n\n\ncould delay future cross-certification between the Postal Service and the FBCA by not\noperating the external PKI environment in compliance with PKI policies.\n\nIn Table 1, we summarized the results of our review of the Postal Service CP and CPS\ndocuments. All 711 items we reviewed were compliant at the time we issued this report.\n\n                                  Table 1 \xe2\x80\x93 Status of Compliance\n\n                Status of Items Reviewed                            Total   Percentage\n       Compliant with environment                                    701          98.6\n       Non-compliant items corrected                                  10            1.4\n       Non-compliant items outstanding                                 0            0.0\n       Total items reviewed                                          711         100.0\n\n\n\n\n                                                     10\n                                           Restricted Information\n\x0cExternal Public Key Infrastructure Services \xe2\x80\x93                       IS-AR-09-012\n Fiscal Year 2009\n\n\n                        APPENDIX C: MANAGEMENT\xe2\x80\x99S COMMENTS\n\n\n\n\n                                                     11\n                                           Restricted Information\n\x0cExternal Public Key Infrastructure Services \xe2\x80\x93                       IS-AR-09-012\n Fiscal Year 2009\n\n\n\n\n                                                     12\n                                           Restricted Information\n\x0cExternal Public Key Infrastructure Services \xe2\x80\x93                              IS-AR-09-012\n Fiscal Year 2009\n\n\n           APPENDIX D: COMPLIANCE LETTER TO FEDERAL PUBLIC KEY\n                     INFRASTRUCTURE POLICY AUTHORITY\n\nThe audit letter of compliance and background information required for the FPKIPA\nbegins on the next page.\n\n\n\n\n                                                     13\n                                           Restricted Information\n\x0cSeptember 18, 2009\n\nROSS PHILO\nEXECUTIVE VICE PRESIDENT, CHIEF INFORMATION OFFICER\n\nSUBJECT:     External Public Key Infrastructure Services \xe2\x80\x93 Fiscal Year 2009\n\nWe performed an audit to determine if the U.S. Postal Service effectively managed its\nexternal Public Key Infrastructure (PKI) services in compliance with established\nguidance. This audit was performed to ensure that the external PKI services continue\nto operate at a level to become certified with the U.S. Government\xe2\x80\x99s Federal Bridge\nCertification Authority.\n\nAudit Methodology\n\nWe conducted this audit from April through September 2009, in accordance with\ngenerally accepted government auditing standards. As permitted by X.509 Certificate\nPolicy for the Federal Bridge Certification Authority (FBCA) Section 8.1, we performed a\ndelta compliance audit covering all changes to policies, procedures, or operations that\nmay have occurred during the previous year. We reviewed the following topics as\nrequired by a delta compliance audit for the external PKI environment:\n\n   \xef\x82\xb7   Personnel controls\n   \xef\x82\xb7   Separation of duties\n   \xef\x82\xb7   Internal audit review frequency and scope\n   \xef\x82\xb7   Types of events recorded in physical and electronic audit logs\n   \xef\x82\xb7   Protection of physical and electronic audit data\n   \xef\x82\xb7   Physical security controls\n   \xef\x82\xb7   Backup and archive generation and storage\n   \xef\x82\xb7   Items requiring resolution from the FY 2008 PKI compliance audit\n\nDocuments and Criteria\n\nWe used the following Postal Service policy documentation, dated May 26, 2009, as\ncriteria during our audit:\n\n   \xef\x82\xb7   USPS Public Key Infrastructure (PKI) X.509 Certificate Policy(CP), Version 1.67\n   \xef\x82\xb7   USPS Root Certification Authority (CA) Certification Practice Statement (CPS),\n       Version 1.19.\n\x0c   \xef\x82\xb7   USPS Intermediate Certification Authority (CA) Certification Practice Statement\n       (CPS), Version 1.19.\n   \xef\x82\xb7   USPS Subordinate Certification Authority (CA) Certification Practice Statement\n       (CPS), Version 1.19.\n\nEvaluation of Effective Management of Postal Service External PKI Environment\nin Compliance with Established Guidance\n\nAs of September 15, 2009, the Postal Service effectively managed its external PKI\nenvironment in compliance with established guidance. We reviewed 711 external PKI\ncomponents documented in the criteria listed previously. Although we found 10\ninstances of non-compliance, we considered them insignificant to the overall external\nPKI environment.\n\nThe attachment to this letter contains the identity and qualifications of the U.S. Postal\nService Office of Inspector General (OIG) personnel who conducted this audit.\n\n\n   E-Signed by Darrell E. Benjamin, Jr\n   VERIFY authenticity with ApproveIt\n\nDarrell E. Benjamin, Jr.\nDeputy Assistant Inspector General\n for Revenue and Systems\n\nAttachment\n\ncc: John T. Edgar\n    Charles L. McGann, Jr\n    Mark J. Stepongzi\n    Joseph J. Gabris\n    Bill Harris\n\n\n\n\n                                                    2\n                                         Restricted Information\n\x0c ATTACHMENT: BACKGROUND FOR FPKIPA AUDIT LETTER OF COMPLIANCE\n\nIdentity of the Auditors:\n\n      United States Postal Service\n      Office of Inspector General\n      1735 N. Lynn Street\n      Arlington, VA 22209-2020\n\n      Darrell E. Benjamin, Jr\n      Frances M. Cain\n      Michael Blaszczak\n      Ruth Smolinski\n      Kimberly Jones\n      Maria Gomez\n\nCompetence of the Auditors:\n\n      Darrell Benjamin, CPA, CIA, 20 years of audit experience\n      Frances Cain, CISA, 17 years of audit experience\n      Michael Blaszczak, CISA, CIPP, 13 years of audit experience\n      Ruth Smolinski, CISA, 3 years of audit experience\n      Kimberly Jones, 9 years of audit experience\n      Maria Gomez, CISA, CIA, 10 years of audit experience\n\nExperience of Auditors Auditing PKI Systems:\n\n      The OIG has been involved in the Postal Service\xe2\x80\x99s PKI effort since August 2005.\n      The OIG has performed several audits of the PKI environment.\n\nRelationship of the Auditor to the U.S. Postal Service:\n\n      The OIG was authorized by law in 1996. The Inspector General, who is\n      independent of Postal Service management, is appointed by and reports directly\n      to the nine Presidentially-appointed Governors of the Postal Service. The\n      primary purpose of the OIG is to prevent, detect, and report fraud, waste and\n      program abuse and promote efficiency in the operations of the Postal Service.\n\n\n\n\n                                            3\n                                 Restricted Information\n\x0c'